Lumu Reports

Lumu reports are another outlet that gives organizations further visibility into the cybersecurity state of their network. They present your organization's compromise data categorized and neatly displayed for easy understanding and analysis. Reports are generated and sent automatically to members of an organization based on their individual settings, which your organization can configure to match its specific business needs. To learn about this configuration, refer to our article on email settings.

In this article, we will look at the proper way to use Lumu Reports to get the most out of them: to measure the effectiveness of your defense strategy and to operate your network's cybersecurity proficiently.

We will go over each section, looking at what you will find there and how you can use it to optimize your cybersecurity operation.

Cover and Table of Contents

The cover displays your organization's basic information, the time period covered by the report (as previously set for the account), and the time zone used for every timestamp in the report.

There is also a table of contents that will help you move through the document easily in case you want to look at a specific section. 

Security Operation Summary

This section provides an overview of your incident activity throughout the period of the report. You will see relevant data and metrics that help you understand the performance of your operation compared to the previous report, so you can evaluate whether your current approach is delivering the expected results and act accordingly.

Since the data in this section is high-level and easy to understand, it is ideal for members of your organization in managerial positions who supervise and make decisions about your defense strategy and have no use for the finer details.

Now, let us take a look at the specific metrics:

General metrics

This subsection covers some general incident information of this period. It includes:

  • All Traffic: All the records analyzed by Lumu in this period, with the percentage change compared to the previous period. 
  • Average Traffic/day: The total traffic divided by the number of days in the selected period, with the percentage change compared to the previous period. 
  • New Incidents this period: Total number of incidents detected in the analyzed period, with the percentage change compared to the previous period. 
  • Total Adversary Contacts: Total number of contacts with adversarial infrastructure during the analyzed period. 
  • Incidents Responded Automatically: The number of incidents that were responded to by Lumu's out-of-the-box response integrations during the period. Remember that OOTB response integrations are a feature exclusively available to Lumu Defender accounts.
  • Threat Type Distribution: All of the period's incidents distributed by type.

Throughout this report, you will find some indicators accompanied by an orange shield icon. This icon identifies features exclusive to the Lumu Defender tier, as well as incidents responded to automatically.

Operational Metrics

This subsection displays metrics related to your team's operation of detected incidents in the Lumu Portal. You can head to our documentation to learn more about the Incidents view.

When an incident shows up in the portal, your team must change its status according to the actions they take to mitigate and solve it, even if that action is simply closing the incident because it is irrelevant to your operation. 

The maxim of incident operation is to take action: an incident that you postpone is an incident that will keep making noise and hinder your operation or, even worse, a potential attack left unaddressed. 

Now, let us take a look at the specific metrics of this subsection.

  • Open incidents from previous period: Number of open incidents at the end of the previous period. You can also see how they are distributed by business relevance according to your labels. 
  • Unresolved incidents at the end of period: Number of incidents that had not been marked as Closed by the end of the period covered by the report. You will see how they are distributed between Pending and In Progress, as well as their business relevance according to your labels.
  • Incidents resolved during this period: Number of incidents marked as Closed during the period covered by the report, with the percentage change compared to the previous period.

Performance

This subsection has some relevant indicators regarding the performance of your cyberdefense strategy and of your cybersecurity team. 

  • Average daily incidents: The total number of incidents detected during the analyzed period divided by the number of days. This gives an idea of how exposed your network is and how active your organization's adversaries were during the analyzed period compared to the previous one. 
  • Average resolution time: The average number of days it took to resolve the incidents closed during this period. The resolution time of an incident is counted from the creation date of that incident, not from the start of the period, which means that closing an incident that has been open for a long time will push this indicator up. You will also see the percentage change compared to the previous period.
  • Mean Time to Respond (MTTR): The average time it takes your team to respond to incidents, measured from the moment they are created. Defender customers can bring this down considerably thanks to Lumu's automated response.
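The definitions above are easy to misread when the numbers move between reports, in particular the resolution-time caveat (an old incident closed this period counts from its creation date). The following script is an added example written for this article, not Lumu code and not Lumu's export format; it reproduces the Performance and Operational metrics over a constructed set of incident records so you can see how a single long-open incident (INC-A) drags the average resolution time from 1.5 days to 21 days even though the team resolved more incidents than in the previous week.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


# Constructed sample records (not Lumu's export format). "responded" is when the
# incident left Pending (first status change), "closed" when it was marked
# Closed; both stay None while that step has not happened yet.
@dataclass(frozen=True)
class Incident:
    id: str
    created: datetime
    responded: Optional[datetime] = None
    closed: Optional[datetime] = None


def _d(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h)


SAMPLE_INCIDENTS = [
    # Old incident created two months earlier and finally closed this period.
    Incident("INC-A", _d(2024, 1, 10), _d(2024, 1, 10, 3), _d(2024, 3, 10)),
    Incident("INC-B", _d(2024, 3, 9), _d(2024, 3, 9, 12), _d(2024, 3, 11)),
    Incident("INC-C", _d(2024, 3, 12), _d(2024, 3, 12, 6), None),
    Incident("INC-D", _d(2024, 3, 2), _d(2024, 3, 2, 4), _d(2024, 3, 4)),
    Incident("INC-E", _d(2024, 3, 5), _d(2024, 3, 5, 2), _d(2024, 3, 6)),
    Incident("INC-F", _d(2024, 3, 13), _d(2024, 3, 13, 2), _d(2024, 3, 14)),
    Incident("INC-G", _d(2024, 3, 6), None, None),  # still Pending, never touched
]

# Current reporting period is the week [start, end); the previous period is the
# week immediately before it.
PERIOD_START = _d(2024, 3, 8)
PERIOD_END = _d(2024, 3, 15)


def pct_change(current: float, previous: float) -> Optional[float]:
    """Change versus the previous period, in percent; None when previous is 0."""
    if previous == 0:
        return None
    return round((current - previous) / previous * 100.0, 1)


def period_metrics(incidents, start: datetime, end: datetime) -> dict:
    days = (end - start).days
    new = [i for i in incidents if start <= i.created < end]
    resolved = [i for i in incidents if i.closed is not None and start <= i.closed < end]
    # Resolution time runs from creation, not from the period start, so an old
    # incident closed this period pulls the average up (INC-A: 60 days).
    res_days = [(i.closed - i.created).total_seconds() / 86400 for i in resolved]
    # MTTR: creation to first status change, over this period's new incidents
    # that have been responded to at all.
    resp_hours = [(i.responded - i.created).total_seconds() / 3600
                  for i in new if i.responded is not None]
    unresolved = [i for i in incidents
                  if i.created < end and (i.closed is None or i.closed >= end)]
    return {
        "new_incidents": len(new),
        "avg_daily_incidents": round(len(new) / days, 2),
        "resolved": len(resolved),
        "avg_resolution_days": round(sum(res_days) / len(res_days), 2) if res_days else 0.0,
        "mttr_hours": round(sum(resp_hours) / len(resp_hours), 2) if resp_hours else 0.0,
        "unresolved_at_end": len(unresolved),
    }


def compare_periods(incidents, start: datetime, end: datetime) -> dict:
    """Each metric as (current, previous, percent change vs previous)."""
    length = end - start
    cur = period_metrics(incidents, start, end)
    prev = period_metrics(incidents, start - length, start)
    return {k: (cur[k], prev[k], pct_change(cur[k], prev[k])) for k in cur}


if __name__ == "__main__":
    report = compare_periods(SAMPLE_INCIDENTS, PERIOD_START, PERIOD_END)
    for name, (cur, prev, change) in report.items():
        print(f"{name:22} {cur:>8} (previous {prev}, change {change}%)")
```

When you see a jump in average resolution time, check whether it comes from closing a backlog rather than from slower handling of new incidents; the Playback section later in the report is a common source of such old incidents.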

Highlights

This subsection shows a digest of the indicators presented on this page in the form of three simple indicators: Incident rate, Capacity to Operate, and Top threat type. These give you an overview of your team's response capacity against the incident load of your organization so you can make informed decisions. 

You will also receive some automated suggestions based on your results. 

Automated Response with Lumu Defender

This section contains all the information related to incidents responded to by Lumu's out-of-the-box automated integrations. This feature is exclusive to Lumu Defender accounts, so the section will only contain a call to action if you have a Lumu Free or Insights account. 

Response integrations

This subsection shows you a summary of the incidents that were automatically responded to during the reported period. This summary includes a breakdown of the IoCs that were analyzed during the period, their types and business relevance, as well as an estimate of the number of work hours Lumu’s automated response has saved for your organization. You can also find an aggregate of all the IoCs Lumu has analyzed historically in your network. 

Response integrations in operation throughout this period

This subsection shows all of your account's active integrations, each with the total number of incidents, IoCs, and threat types it handled during the reported period and since it was activated. 

Open Incidents

This section gives you detailed information about your cybersecurity operation. You will be able to see how your incidents are distributed across your network, their business impact and risk level, and the endpoints and segments where adversary activity is concentrated. 

This section helps you understand which incidents and segments you must prioritize to mitigate compromise, and which others may be causing unnecessary noise without presenting any risk to your organization. Now, let's take a look at some of the indicators presented in this section and how you can use them. 

Incident Distribution Overview

This is an overview of some generally relevant indicators: open incidents, divided into incidents you have not operated on yet (Pending) and incidents you have started operating on but have not closed (In Progress), plus the number of incidents that were responded to automatically. You will also see how many endpoints and labels were affected, as well as the number of adversary contacts in the analyzed period.

Remember that any incident operation you want to undertake should be done from the Incidents view on the Lumu Portal. Compare the data found in your report with the information tracked by the portal to decide which incidents and endpoints to prioritize.

Incident Distribution by Risk Level

Risk level is one of the primary factors that you should consider when prioritizing incidents, alongside business impact. This section gives you an overview of how your open incidents are distributed between the different levels of risk: Critical, Significant, and Moderate.
  • Critical: This risk level is assigned to incidents in the most advanced stages of execution that will very likely result in damage to your organization. These should be prioritized immediately and with urgency. 
  • Significant: This risk level is assigned to incidents in intermediate stages of execution where your organization may not be in immediate risk, but the adversary is gaining the advantage. 
  • Moderate: This risk level is assigned to incidents in early stages of execution that may not represent an immediate threat to your organization. 

You can use this information alongside Business Impact and your configured labels to prioritize incidents and make effective decisions. 

Top 5 Affected Endpoints

These are your network's most affected endpoints, which translates into the ones that may represent the most risk to your organization. You must configure your labels appropriately to make effective use of this information, since it is common to find noisy and irrelevant assets here (devices connected to public networks, for instance) that could have been muted to optimize your risk detection. 

If your labels are properly configured, this is invaluable data for prioritizing vulnerable endpoints and protecting your network. 

Distribution by Business Impact

This is an overview of how your open incidents are distributed between three levels of business impact: High, Medium, and Low.

These impact levels are assigned while configuring your labels, which means that the information shown here will only be accurate if you have configured your labels properly. 

Check our documentation to learn more about labels.

Business impact is the primary criterion when prioritizing incidents to operate on, as high business impact assets are the closest to the heart of your operation; if they are affected or close to being affected, your business is closer to being impacted. 
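Putting the two criteria together (business impact from your labels first, risk level second, and spread and activity only to break ties) is a small amount of logic, but it is worth writing down so that everyone on the team ranks the same way. The script below is an added example for this article, not Lumu code; the incident and label records are constructed, the `muted` flag stands in for assets you have decided are pure noise, and an asset whose label has no business impact configured is deliberately scored as Medium and reported separately so it gets labelled instead of silently sinking below Low-impact noise.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scales for the two prioritization criteria the report exposes.
IMPACT_RANK = {"High": 3, "Medium": 2, "Low": 1}
RISK_RANK = {"Critical": 3, "Significant": 2, "Moderate": 1}


@dataclass(frozen=True)
class Label:
    name: str
    impact: Optional[str]    # None when no business impact was configured
    muted: bool = False      # assumed flag: asset known to be noise (e.g. guest Wi-Fi)


@dataclass(frozen=True)
class OpenIncident:
    id: str
    threat_type: str
    risk: str                # Critical / Significant / Moderate
    status: str              # Pending / In Progress
    label: Label
    endpoints: int           # endpoints affected
    contacts: int            # adversary contacts this period


def priority_key(inc: OpenIncident) -> tuple:
    # Business impact is the primary criterion, risk level the second; spread
    # (endpoints) and activity (contacts) only break ties. An unlabelled asset
    # is scored as Medium so it surfaces for labelling rather than being buried.
    impact = IMPACT_RANK.get(inc.label.impact, IMPACT_RANK["Medium"])
    return (impact, RISK_RANK[inc.risk], inc.endpoints, inc.contacts)


def prioritize(incidents):
    """Open incidents worth operating on, most urgent first; muted assets dropped."""
    return sorted((i for i in incidents if not i.label.muted),
                  key=priority_key, reverse=True)


def needs_labelling(incidents):
    """IDs of incidents whose label carries no business impact: fix the label first."""
    return [i.id for i in incidents if i.label.impact is None]


# Constructed sample data. INC-1 would top the "Top 5 Affected Endpoints" chart
# by contacts and endpoints, yet it sits on a muted guest network.
FINANCE = Label("Finance", "High")
SALES = Label("Sales", "Medium")
LAB = Label("Lab", "Low")
GUEST = Label("Guest Wi-Fi", "Low", muted=True)
UNSET = Label("New VLAN", None)

SAMPLE_OPEN_INCIDENTS = [
    OpenIncident("INC-1", "Malware", "Critical", "Pending", GUEST, 40, 900),
    OpenIncident("INC-2", "C2", "Significant", "In Progress", FINANCE, 2, 30),
    OpenIncident("INC-3", "Phishing", "Critical", "Pending", FINANCE, 1, 5),
    OpenIncident("INC-4", "Malware", "Critical", "Pending", LAB, 10, 200),
    OpenIncident("INC-5", "Cryptomining", "Moderate", "Pending", UNSET, 3, 50),
    OpenIncident("INC-6", "C2", "Significant", "Pending", SALES, 5, 60),
]


if __name__ == "__main__":
    for inc in prioritize(SAMPLE_OPEN_INCIDENTS):
        print(inc.id, inc.label.name, inc.label.impact, inc.risk, inc.status)
    print("labels to fix:", needs_labelling(SAMPLE_OPEN_INCIDENTS))
```

Note that INC-4 (Critical, but on a Low-impact lab segment) ranks below a Moderate incident on an unlabelled VLAN; that is intended, and it is also the reason the labels need to be right before you trust the order.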

Top 5 Incidents by endpoints affected

These are the indicators of compromise that have affected the highest number of endpoints in your organization during the analyzed period. You can use this information to pinpoint the most dangerous threats for your organization and prioritize them in your defense strategy. 

Top 5 Incidents by adversary contacts

These are the indicators of compromise that your organization has been in contact with the most during the analyzed period. You can use this information to find out which threats have been more active and trying to reach and compromise your organization so you can make effective decisions regarding your defense. 

Highlights

These are some relevant highlights from this section that you can use as a very high-level summary. You will find the most affected endpoint, the most prevalent risk level, and the most affected business relevance. 

Active Incidents During Reporting Period

This is a breakdown of all the incidents that have presented activity during the analyzed period. Active incidents should be at the top of your priorities because they may be related to ongoing attacks, so it is vital to have detailed data about them. 

Active Incidents at a glance

This is an overview of your organization's incidents that were active during the analyzed period. You will find relevant data such as the number of adversary contacts, as well as the labels and endpoints affected. 

Top 5 affected labels

These are the labels with the most detected incidents throughout the analyzed period. This information, combined with the business relevance of those labels, tells you which labels to prioritize. 

Top 5 Affected Endpoints

These are the most affected endpoints throughout the analyzed period. You will see a breakdown of the types of incidents that have affected each. When combining this data with the top affected labels and their business relevance, you will have more information to take action and operate on your most vulnerable assets. 

Top 5 incidents by endpoints affected

These are the active incidents that affected the highest number of endpoints throughout the period, which helps you pinpoint the most widespread indicators of compromise on your network. Combined with the other indicators in this document, this lets you identify the most dangerous active threats that you should prioritize.

Top 5 incidents by adversary contacts

These are the incidents with the highest number of adversary contacts on your network throughout the analyzed period. This information helps you understand which threats are making the most attempts to communicate with your network. These are not necessarily the most dangerous threats, but the information becomes critical when you combine it with the other criteria discussed throughout this article. 

Incidents Detected by Lumu Playback

These are the incidents retroactively detected by Lumu Playback during this period. Check our documentation to learn more about Playback.

You will see detailed data about the threat type, state of the incident, number of contacts and endpoints affected, and the last contact date. Since the incidents detected by Playback can be up to two years old, it is vital to pay close attention to the ones that show recent activity, since that may mean an IoC has been acting against your network for a prolonged period of time without your knowledge. 

